Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 5

33. Lecture-33:Introduction and Concept of Access Control Policies.

First thing which we will do is policy. A lot of policies are there by the way, one by one we will do if we go to policies. So Access Control Policy, intrusion policy, malware and file policies, DNS policy, identity policy, SSL policy and prefilter policy we will call all these. So it means we start Access Control Policy which we will cover one by one of these. Okay? So let’s start. The first one is access control policy. What is access control policy? It’s same like an ACL in Cisco SA firewall. Excess Control Policy like ACL in Cisco in any other firewall, like a policy firewall, we have security policy and 40 gate and checkpoint. We have also a policy to allow or deny someone, to block or allow someone and also to generate the logs. In Excess Control Policy, whenever somebody hit the policy, it will generate the logs. This is called Excess Control Policy. But keep in mind ACL and Cisco SA firewall and Access Control Policy and fire power is different. ACL only work up to layer three, while Access Control Policy can work up to layer seven. Layer seven means it can include application, user identity zone, URL and so many things. You can include an excess control policy.

The policy can be configured by user, by IP, by URL, by zone, by application. But in ACL you can now do ACL can maximum go to layer three and layer four. But Access Control policy, you can go up to layer seven. Yeah, the concept is similar, it will check from top to bottom and left to right. So it will be checked from top to bottom and left to right. And you can include so many things in this policy. Let me show you, it better to show you there as well. So let’s go to policy and access control. Policy. That’s the main policy camp. Keep in mind, nothing will go from one zone to another zone until an unless you allowed or deny here. So everything is focused on this Excess control policy. Like last time, we say allowed all and you can create rule. Rule is nothing but like an excess list command one command which we create excess list one, deny this. This same thing is here. First one is the name of the rule. Suppose I say ABC and this means enable this rule. If you uncheck, it means this rule will be there, but it will be disabled and we have to put this rule by default.

We will discuss a bit later. There is two category by default, mandatory and deferred. Mandatory means it is must and it will check first. And deferred means the last one which will be checked and last. And then we have to put the rule above or below because one rule is already there. If you check that’s why it’s showing you above and below. You see one rule is there, which is one. And also this is in mandatory section, there is a default section as well and there is a default action as well. So same like policies in any other firewall either in ASA firewall, so name is there. Okay, so we were talking about access control policy. Basically this policy work and can combine many things like application, user, identity zone, URL, source, IP, destination, IP, source port, destination, port and so many things you can do in this policy like here you see zone, network, Vlane also you can put VLN user because identity policy is not configured, that’s why it’s showing this one application.

We will discuss application in detail, port, typical port, number 23, 24 and so on and URLs and then you can integrate with Cisco Ice as well and then inspection to apply the intrusion policy and file policy to control the file and also attacks. So you know, so many things you can put in this policy, that’s why it’s mentioned here and we can go up to layer three, layer four and layer seven because application work on layer seven so you can choose application as well. So it means it’s go up to layer seven. If you go to port, it means you go to up to layer four and layer three source IP and destination as well. Also keep in mind whatever these policies are there all these policy which we will discuss access control policy, intrusion, malware, DNS, all of them has to be connected to excess control policy. Later on, whenever we do intrusion, you need to come and integrate with excess. Whenever you do malware, you need to integrate with access control policy. When you do DNS policy, you have to integrate to access control policy same as identity, same as SSL and is mentioned here as well. Some of them here is pre filter policy. Choose from here where I am an excess control policy, SSL policy is here, identity policy is here, an intrusion policy and malware policy is here. Look at intrusion and file policy. So intrusion policy is also integrated to access control policy, file policy is also integrated to ACP, ACP is access control policy and SSL is also integrated here, identity is also integrated here, pre filter policy is also integrated here and security intelligent policy, DNS policy is also integrated here. So it means whatever you configure any policy, you have to come here to integrate them. So keep in mind that’s the main thing now how the policy is working, keep in mind two things from top to bottom and left to right the rule will be check. So I have this rule, suppose if I create another rule like an ACL, ABC, whatever and aid so now this rule will be check sorry, this rule will be checked from top to bottom.

First it will check allowed all and it will check the zone. So inside zone where it’s going to outside zone and network is inside subnet. Then it will come to this policy. If something is matched here, it will not go to this policy, you know? Yeah. And every firewall we know this concept. So from top to bottom it will be checked. Second thing is let me show you the first policy. It will check from top to bottom then left to right. So left to right there are many tab. First it will check that the source zone is inside. Then it will check the outside zone is this one. Then it will check the network is inside subnet if anything wrong this is end operator zone, network, VLAN, user application port, URL and these this is like an end. And what is end like if I say Daniel n sume the end sume the has to come means both need to come. If one of them is missing, it means the rule is not apply. There is R approter r means any of these but this is not R. It means it will check the zone. If zone is okay, then it will go to network if the network is inside. If the network is not inside they will discard the packet even though zone is correct. If suppose network is okay, it will check the user if the user is ali, if it is not it will discard even though the first three tab is okay, zone was inside, it was going outside, network was inside Vlane was ten but user is different so it know. Then it will check the application is the application is Http and Https. If not again then it will go to port, then URL. So you get what I’m saying? So it’s like an end operator. It will check one by one. If any of these is missing, then it will discard the packet. That’s why I say here between tap firewall is considered an end operator. And I already told you all the policy are combined here. Like a prefilter policy, security intelligent policy, DNS policy, SSL policy, identity policy all of them has to come to access control policy to work together. These policies are nothing but when you configure them, you need to integrate them to access control policy.

And then I told you how to create rule rule one, rule two and three. And there is a number as well by default if I say save so one, two, three and so on then the next thing is I will come to this one. Leave it this far. Now how to create so we can go to power sex control to create which we will do in the lab. But anyway and then when you assign okay, now let’s go to here just to discuss this access control policy. You can see the rules. So rules, you can search the rules here by source, by destination and so many things you can use to filter and show rule conflict. If there is any conflict between two policy, it will show you. Like Paul Wall to firewall. It was with some other name, but the concept was similar. Then add category by default. There are two categories, mandatory and default. Let me show you if I discuss those two here, so mandatory, it will check this policy first because it’s coming first. If anything not match here, then it will go to default one. So whenever you’re creating a policy, if it is important, put them in mandatory. If you click a ed rule and you give them any name so it’s asking you where you want to put. I say mandatory NAD. So now it will go to this year, you see n third one. So it means mandatory will check first because it’s coming from top to bottom. Then it will go to default one. End. Default one is a general rule which will be evaluated later on. Okay, so these two things are also clear to you. If you want, you can create your own category as well. Suppose I say sales and where. I want to put in default and mandatory. But this is the third category I want to create. So in default one, it’s okay. Now you will see there is a third category with sales and you can add rule. From here and this sales and you can put a rule from here as well. So either here and let me cancel them and if you say add rule so you can choose suppose here is where you want to put this it’s mentioned here. Sales. If you want to put them in mandatory, then it will go out. If you want to put them in default one. Okay. Sorry, in default one. Yes. And two category. So our category. Is sales. So you can put the rule here as well. Now let me say yes. Okay. So you can create category from here.

Category is nothing to a group of suppose sales. Any policy related to sales you can put them here so whenever you apply any rule it will work together and it will be easy to understand and easy to troubleshoot this is the only thing to create category. So we are done with this one to filter. We are done. This is one then the name. Source zone, destination source network, destination whatever in the policy is mentioned here then category and then aid rule. We will discuss this one prefilter policy when we configure SSL. Policy. And this one policy assignment means this one that this policy is to assign which device. So we have only one device, FTD. So it will show you that device. If you have more than one, you can add. Them as well. But right now it’s only policy assignment is integrated to one FTD and if you want to inherit setting if you have an old policy suppose if I have, let me see. We don’t have any policy. If you have a base policy, you can integrate and you can inherit those sitting directly to this policy. So this one is for that one. And save the sitting whenever you create a rule or category or do any changes. You need to save the changes. And if you don’t want, you can cancel. Just cancel and okay. Now, everything besides this allowed. All everything will be removed from here. It will be disappeared. So I think so I saved these two. Maybe so. Let’s see. Yeah, nothing only allowed. Also you can cancel them. And then what else? Here is okay then these things you can see. This is time range. If you want to put a time like a time based ACL. This one is intrusion policy.

Suppose if I enable intrusion policy so it will become a grade out here. So let’s change them and let me go to inspection and let me put any intrusion policy now. You will see the changes. You see now. It’s not grayed out. It’s a blake. This is grayed out because I put the intrusion policy. This is time. If you want, like a time based ACL, this is the time range I don’t have let me create quickly any time suppose time start and end and save I just want to show you just do this why? I put random anytime you see now this time is also now showing with test which I done. This one is related to file policy which we will do intrusion file policy will do if you enable right now, I don’t have if you enable file policy so this will become not grid out anymore, then this one is Safe Search. Safe Search if you want to enable like Google and all those things so you can enable Safe Search, we will discuss this in detail. So whenever somebody is searching like vulgar words or something so it will stop searching them. So you can enable save search. Now I enable. Now you will see this is not gray out and this one is YouTube like. Same as for save search. So this is for YouTube. So if I click on YouTube icon and let me enable YouTube. So whenever somebody is searching any video which is vulgar or something, so it will not show up here. So this one is for that purpose if you want to enable with integrated to this policy and the last one is this one to edit this policy this is the policy to edit them suppose if you want to change anything let me say yes. And this one to delete this policy. If you don’t need click and delete. And this way you can delete the policy. There is no policy. You can see. And that’s why this icon was showing there. And let me say cancel so because it will change them back to the policy which we have already. So let’s see there is allowed all policy bake yeah. Now, related to rule this is rule tab. Forget about this one. Secure and intelligent. We will do in detail, separately this one http response we will do now this one and logging we will do in detail again an advanced tab. We will do in detail. So forget about these steps. The only thing is right now we need to focus is access control policy rules. So you can create a rule to allow it or deny someone and you can put so many things to create your rule. So if I open this again so this is the name if you want to enable, if you want to move this, it’s already created to some other category. Okay you can remove it and you can put them up or down action we will do a bit later.

And these are the things which I already mentioned IPS and save search and all those things. Time range to create a time. It will work with their time only zone. So we have inside and outside zone right now if you have more. So you can put the zone here. Network you can put IP and you can put geolocation detail like a free kiss country name we discuss in last lecture. And network. Single IP, either. And you can create your own object as well from here click object. And you can create any object here either. You need to go to object to create them there. It’s the same thing to put them here and then to put them in the source either in destination and you can type directly as well. If you say no, I don’t need object, it’s okay, just put them directly. But every time you need to type them, object means you can inherit them and you can call them anytime. So this is the beauty of object. But if you don’t need, you can type in destination and source both VLN we don’t have right now VLAN if you have villain tag so you can put the VLN tag user. We will do a letter in the course. When you integrate your FMC to active directory then you will see the user here application. There are by default so many categories and by risk and also by categories. Okay. So you can put the category like a social networking. If I say social networking so when you click so it will show you all social networking application and aid rule. So all of them are added. And if you want to remove click remove now any if you need only single like let me go to I don’t know this one. So I just add single.

And if you click all then you can add and it will add all the application then port these are some port like http https ten net SSH if any of the port is not available. So you can type directly. Suppose destination port I say ICMP there is an ICMP or something. If not, I can type anything, but I’m just wondering ICMP will be good to show you anyway. Any port ESP in aid so you can put directly. Either you can use predefined object either you can create object as well, same thing for Ports. URL again, URL they have so many category and uncategory as well. And these are the category like a museum and so many category we will discuss in detail. And URL, these are by default some URL and you can add your own URL as well. URL object. Again we will do in detail. And this is related to ice if you want to integrate sgt. So you can check from here. Inspection if your policy is allowed then you can put intrusion policy if the policy is disabled sorry, you want block then no need of IPS IPS will not work because block means you block the traffic straight away no need to investigate them further. So that’s why it’s not showing. But if you say allowed, then intrusion policy you can apply. And also you can apply file policy. These two policy you can apply with allowed traffic, not with block traffic then logs if you want to generate logs at the beginning either at the end of the connection like TCP three way handshake and if you want to send even logs we will see even logs there and if you want to send them to Syslog Syslog. We just done it. Either you want to send them through SNMP so you can enable this One, and Comments. If You Want to put Any comments here for this Policy, you can put the comments. Now, the last thing related to access control policy is these things I’m used to with my old laptop. So I’m pressing to zoom it. So without zoom it’s, go to another window. The first one is allowed. Allow me to allow the traffic. It will check everything. IPS profile, control, everything. It will check and then it will allow the traffic. Trust means there will be no IPS. If I go to inspection, you see IPS and file control is not working intrusion means to check them for any intrusion things and file policy to check them this file is allowed or deny there is any viruses or something but if you trust someone so how you will say no?

Okay, give me, I want to search you. Suppose your brother came to you and you are working in sensitive organization, you will tell them that, okay, I will search you because you are my brother, you are my father, mother and okay, I will search you. No, I don’t trust you. So trust means there will be no further checking. But if you say allowed allowed doesn’t mean that the traffic is allowed. Yes, the traffic is allowed, but it will be checked by intrusion policy, it will be checked by file policy and more other thing will be checked, then the traffic can go even though it’s allowed. But if intrusion says no, then it will be denied. But in the case of trust, it means it’s like a bypass, you can say no intrusion, no file control, no nothing, and the traffic will go straight away. Two things then monitor monitor means just to generate the traffic and allowed the you know, the traffic, it will just generate the logs, sorry, it will generate the logs, but the traffic will be allowed, no intrusion, no nothing, but it will generate logs to check them, to monitor them, just what he is doing. Three things then block block means to straightaway block the traffic straight away but no message will be sent to the user. And then block with reset. So there will be a reset connection sent to the user TCP, three way handshake. Reset will be sent to the user. I will show you in the left. I’m just doing theory. So this is the difference between block and block with reset. And I give an example. In Paul Walto there was the same concept, you remember, I say in UK, when you refuse so even if you refuse a job, they will send you an email, either a letter that sorry, we refuse you, but in Asian country they will not send you anything.

So you may be thinking that maybe they will take me today, tomorrow in this way. So block like Asian country, block with reset to send you a letter that you are not hire this time and then interactive block. Interactive block means there will be a continue button, you need to press that button and then it will be continued. And this continues? I think so, for ten minutes or something. If I mentioned here, I just want to check it’s, ten minutes or something. By the way, we can check from here. Let me cancel this one and let me show you that interactive block will be for how long? If you go to advance here is allow interactive blog is 600 seconds, I think. So ten minutes here, I believe. Yeah, so ten minutes you will be allowed. Then again a Continue button will come. So when you click so you can use Internet or whatever the resources. So that one is called Interactive Block. And then Interactive Block with reset means combination of block with reset and Interactive block it will send you a reset as well. And also it will be a Continue button to show you. So these are the action which you can put on any rule. When you create a rule, you want to allow them, you want to trust them, you want to just generate logs, you want to block them straight away and no reply to send. Either you want to send a reply, either you want to give them a prompt to continue and either you want to reset and also give them a prompt. So these are the action which you can take and we will see in the lab one by one and I will show you how it is working but right now it’s a theoretical to how you can use them. Okay? I believe anything if I miss. Okay, the last thing is here there is a default policy as well. Let me cancel this one. You see there is a default action if it is checking everything from top to bottom, the last thing it will check this one if nothing is match suppose you have 100 rules, nothing has changed and it will come here. So we say access control block all traffic all of the traffic will be block but you can choose trust all traffic trust I told you in the rule and you can discover them and you can apply intrusion policy. There are different intrusion policy to attach we will see in the intrusion rule if you choose any of these there is extra thing came up to change the variable set but anyway we will discuss an intrusion but if you choose from here so this extra thing will not come up. The last thing is here is log. You want to generate log if somebody is deny this one, if the rule coming and at the end there is action to trust or not trust. Let’s suppose block so if somebody is block so, they will generate logs. If you want to see the logs. And this is displayed to display how many pages you want to see, right? Now only we have only one page and it will show you the logs here analysis and Events Logs it will show you all the logs here that’s why we want to enable the logs so whenever something goes so it will show us here. You see these are the logs so that’s why we enable logs there. So I show you this one when you choose intrusion policy there will be a dollar extra sign and this one is for logs and what else? Yeah that’s it. So this was excess control policy theoretically next time we will see them in detail and also we will see http response page as well. Okay?

34. Lecture-34:Configure and Verify HTTP Responses Pages in FMC.

Suppose if you are using a block action, you know, we just discuss here if you are in the security rule and let me edit this rule. So there is block block with reset, interactive block, interactive block with reset. Suppose if you choose a block, okay. So you need to use Http response page. It’s here. Here this one. Http response is by default block response page is none and interactive block response page is system provided. You can change this one to system provided as well and save by default it was none. So there is a system provided which is very limited only they say you are attempting to access forbidden site CONSERT your system administrator for detail. That’s it. You can change, you can customize it’s okay. But whenever something is blocked and you are not using Http response page so the user may thinking the internet is not working. It will be like this. Suppose he visits CNN. com and CNN. com is block. So it will be like this way. So it’s better to show them something. It’s like a banner. It’s like a web page which is Pavely in HTML code. And I show you as well. It’s in HTML code. If you click so this is HTML, HTML start, then head, then there is a title, then style, then body. Body close then header. H one is the header. You know the access denied. It will show you in peg and then paragraph start and then paragraph end and then body and HTML ended. So there are two type of Http responses page block response page. So block response page when you use action. When you use action block. So it will show this page. There are three options in this one none which is by default system provided which is the system provided. And then the custom one. We will see the custom one as well. And you can use whatever you like. If a system provided, you can use the magnifier to see the detail which I show you here. It’s like this one. If you see custom then it will change to pencil icon.

You know nada. Now click on pencil icon to edit them. And up to this much character you can apply three x sixes. Now if I remove one and see now three eight five. So you can customize them as well when the action is blocked. And it will be like this excess denied, just the default one. And you can choose if you say none. So you can choose none but it will be Http 40 four message to the user like this one. And if you want to customize so you can customize and you can put your own which I will show you and customize you just need the Http code to copy and paste then the interactive block response page. Because there are two options. Interactive block if you use rule interactive block here is interactive block. So then you will see a continue button. So when you press a continue button then you can continue the page. It’s continue and it’s by default I think. So ten minute yes which is 600 seconds. You can change the timer here if you want to. Suppose if you go to advance there is a loud interactive block bypass this 1600 seconds if you say edit. So you can change the value from here. But this is the default one. 602nd which is ten minute. Interactive will show you a continue. And when you continue for ten minutes, you can use those services. And again you need to press the Continue button. This is the only difference. And if you say custom so you can customize the interactive one just like a blog page. So let’s check out. Let’s go to rule. And let me create a new rule. Add rule to show you and I say from inside to outside. And let me say block social networking. And let me put this rule in mandatory on the top. And the action has to be block and network is my local subnet. This my source is anything. And let’s go to application and application. Let me type social networking. So here is social networking and aid rule. So port as anything URL as anything. I say block any social networking show a blog page. It means it will be block and say aid. So this one is block. You need to put this rule above the allowed one. And then let’s create a new rule for interactive block. So let’s say interactive block like a job search website. So I say if anybody from inside to destination is outside network is my inside and going to any destination. An application is like a job search. So let’s see there is any category to job search. Job search if not an application. We can check from URL category.

We can say job search here. And let’s add the rule job search. But this time action has to be interactive block and aid the rule. So basically I created two rule. Let me put this interactive block here. And one thing more, I need to enable this logs so that I can see the logs as well. So let’s go to log and log at the beginning and save. And let’s click on interactive block as well. Logging and this one. You know it’s very important to see from this one. So enable the logs. So basically I block social networking and I job searches interactive block. Let’s save the setting and deploy the setting now. Okay. But before let’s go to Http response page system provided it’s okay. And let’s click to deploy. Choose FTD and Deploy. And now after deploy what I need to do when I go to any social networking website. So it will show me a block banner, a block web page. If I go to any job search category it will show me interactive block web page. So when I press continue then I can go further. So let’s see, let me go to any inside PC like this one. PC one. Okay. And let me open any page. Let me open this one. So let’s make them ready. Right now I can visit anything and it will not block me. Suppose if I go to Facebook so it has to work and anything. Let’s see internet. Everything is working. So yeah, it’s working. Okay. And now let’s wait to deploy this setting. So these are very important.

Okay. Basically for end user. Otherwise they will get a page like this one. So let me go back and it’s almost 37%. Okay. And we can check from window as well. Let’s see. Okay, 75%. So when it’s deployed, then we can check out. And by the way, from here analysis we can see the logs as well. That’s why we enable the log. Okay. So we are still waiting. It take time to push the detail, push the configuration to FTD. So keep in mind we create two categories that if somebody is going to job searching website, show them interactive page. And if someone going to social networking website like a Facebook, Twitter. com, LinkedIn. com, then show them a block web page. So this is what we want to see. And then we will customize. We can customize as well. So I have a customized one block web page. This one you can search on Google and you can find you can put your own. Like this one, I put Cisco logo, you can put any logo or your company logo and whatever you want is complete. And let’s check out now. So let me go to http facebook. com and you will see access deny. You are attempting to access forbidden site. And the same is if I go to http twitter. com again, it will show me access deny. And let’s go to job search. Like I don’t know any job search website. Let me search any job website. So let’s go to job search website. Let me see, very famous one. Let’s see this one. Top ten job search. Best job search website. I just need one to test them. These two I tested from social networking. But I need some from job search so that you can show us the interactive. Okay. And let’s see now if I can check from somewhere. Oh my goodness. Let me see google. com search website links. I just need one.

Yeah, like a monster. Yeah, I got it. So let me type httpmonster. com is it correct to monster? Monster, monster. com. Continue. But here there is no continue. So this is blog page. This is interactive blog. It says continue. Now you can continue for ten minutes which is your default timer. And you see after a while it will take you to themonster. com. So this is the difference between these two. So there are two type of pages. Let’s modify one of the page. So let’s go to a policy access control policy. And let’s edit the policy. And let’s go to http responses. And I want block page with custom. And let’s put my one the custom one. And let’s select control a control v and save. Now I put my one with custom for block response page and save. Okay. And when I save let deploy this one. And let me deploy. Let me choose this one and apply. Now you will see this one is different, the other one will be different. Now keep in mind this one it looked like this one the black one. But now I change there will be a Cisco logo and more detail. Okay. So in this way you can check like a monster. com. You can see other like Google anymore. Let’s see if you want to test any other famous one. I just want to see any other until the rule apply. Yeah glass door I don’t know what is the website link.

There is a job. com as well. Let’s check out that one http job. So if it is file under a job search category so definitely it will show you the interactive block. You see job. com it says access deny. You may continue to the site by clicking on button below this one. And when you click then it will take you to the job. And now I’m in Job. So this is interactive blog and the other one is this one is there is no continue button. It’s blog. But I changed the banner to show you. So let’s go back and see. It’s 55% now. So this time you will see a different banner. And different banner especially for social networking which I say block this one. So it’s better to show them something rather than there will be an error page. And the user will maybe they may thinking that maybe the internet is not working or maybe something wrong. So it’s better to show them this page. So let’s check out it’s almost 83% and the only thing we need to check the custom banner. Okay. And also you need to put your blog policy on the top. So I put my blog policy on the top and allow policy the end. So it’s completed. Let’s go back and refresh. Look at now it’s a very good one. Cisco logo then X is denied and too much information. Now this the default one. And if I refresh now you will see a good one. So you can customize as per your company requirement. So this was Http responses page two type block response page which you can customize and you can use system provided and you can send none as well.

And then the second one is interactive blog. So interactive blog you can put them system provided, you can send none and you can customize as well. By default the timer is 600 seconds which is ten minutes. Okay. You can increase the timer as well which I show you from advanced page. You can increase if you go to policy access control policy and if you edit the policy policy, and if for some reason, if you want to increase the timer. So here is plug bypass, which is 600 seconds. Click on this pencil and you can change the value. Okay, done.

35. Lecture-35:Introduction and Concept of URL Filtering in FTD.

Resuming last time we done http banner. Now this topic is URL filter, URL filtering. Okay. So basically what is URL filtering? We discuss in other firewall as well this concept in Paul Alto firewall and 40 gate firewall and checkpoint, another firewall as well and system square. So basically when you want to control access to website based on URL category. So for that purpose, we are using URL filter. URL? We know Uniform Resource Locator. You know the complete link. Even though in URL there are many things I don’t want to go in that one date. And URL, the complete URL, there are parameters, there is domain name, then there is http https and so many things are involved there in complete URL. Okay. So if you but overall we call them website. The website link. Suppose here if I open something, let me open suppose WW, Google. com. So you can call this one URL complete URL. But there is Https as well. Then colon, then www Then Google is a domain name. And then when you put slash there is parameter and so many other thing and path. So this is called URL.

I believe the abbreviation is Uniform either universal resource Locator. So let me say URL stand for I forgot, sorry. Uniform, resource. Locator. Okay, so when you want to block any website and your enterprise network based on URL categories and reputation for that purpose you are using URL filtering and Cisco FTD. Now, what is category and reputation? We will discuss a bit later. So it means you can control the access to website based on reputation as well. Reputation is nothing but risk level. Like a malware URL links and so many other. So it means we have two things and URL categories and reputation to block the website for your enterprise network. So they will not access any malicious and any unwanted URLs which nothing but a website. So reputation is a risk level and categorized classification. They classify these website which they call them category. Why? So it will be easy for us in firewall to put category rather than going to every single website. And then type like suppose if your company manager told you to block social networking website. So it’s so easy. There is a category social networking. And basically just like Apollo Two, cisco FTD is also using what was called Bright Cloud. Bright cloud, URL. Yeah. So they are also using Bright Cloud for category. So if I check suppose Facebook. com and let me on this one. So they will tell me about this website. So they say reputation. This one reputation which I told you every website is categorized. So in reputation is good and it belongs to which category? It’s the category they say social networking. So it’s easy for us even if I say Twitter. com, sorry, Twitter, you need to put the captcha. So erase.

So this is also belong to social networking and that’s the reputation. So we have two things in URL and they are also using Bright cloud. Paul Alto are using their own key database and also Bright cloud same FTD is using Bright cloud y for category and for reputation base. So it’s easy for us. These two things, they already created categories. So if your manager told you to block social networking website, so you do need to search on Google, that okay, which website belong to social networking? Social networking, Twitter, LinkedIn and you will look there is 1000 and thousand website how you can make a category and then you will create your database and then you will say blog is. So rather than to do like manually to do all this job they said don’t worry, there is a category with the name social networking. Block that one. Any website fall in that one, maybe in the future they add another website, it will be blocked automatically. So this is the beauty of category. So that’s why they create category for us. Even though if you want you can do manual URL filtering as well. You can do single website, you can block URL either website. I will say website so that you people understand easily. We can make a group up URL to block. We can create a list in PDF and notepad sorry, like I create just this one, twitter. com, Facebook. com, Flicker. com, MSN, Yahoo so you can create a list as well. And you can use Feeds as well. Feeds we will discuss a bit later. Feeds is nothing but a list. Which dynamic list you can say. Then keep in mind one thing more, some website belong to more than one category. Maybe some website like a LinkedIn. If I say LinkedIn maybe it belonged to, I don’t know but let me check some website, I can’t remember this time but maybe like ebay and some website maybe belong to LinkedIn. Let me check LinkedIn because it’s recruitment as well and also social networking. So I don’t think so. Yeah it’s also coming under social networking but I can’t remember any website. If I remember then I will type and I will show you that some link URL website can belong to more than one category. Keep in mind this and well because in real world you may face some issue. So you need to know that okay, that’s why it’s blocked because it’s also belonged to this category as well. So it’s also clear because now we are discussing URL filtering. Theoretically after this we will do a lab. So then what is the advantage is to use URL filtering and their built in category and reputation.

So you know it will simplify your policy as well. They already have a built in category, just call them and you have a clean and clear policy. Just apply and block or allow something. So policy will be created easily and simplify as well. And administration will be easy for us. If you are using category, if you are using single one by one. So it will be a huge list of policies to create. Okay, so this is done, this is URL filtering. Then we discuss two things category and reputation. So category is a classification they classify like an Ebay belong to action category monster belong to job search, facebookwitter. com belong to social networking. So this is a classification which they already classified all the website. Yeah, keep in mind there may be some website which is not categorized. Suppose a local website somebody created today some website like a local website belong to their maybe their shop or something or your personal website. So maybe this is not categorized.

You can face this issue as well. In real world, sometimes some website is block either it’s not allowed because it’s not coming under any category. So you need to manually create a policy for such website. In real world I’m talking so you will face this issue. So keep in mind there may be a chance some website which is not under any category or classification. So like ebay belong to action like a monster belong to job search and Twitter, Facebook, Flickr. com belong to social networking and so on. So these are category which we will see in the lab. There are built in so many categories if I go to policy and I’m already in policy if I create a rule. So this is our topic. We already discuss access policy this URL and you see there is categories like added category, alcohol, arts and action and so many business and industry. The one which we normally know so that I will go dating. So they have built in so many categories but not limited to this one. You can create your own as well from here and then URL. These are category.

Okay? And here is a reputation which we were talking about. Okay then the second thing, you can create a policy based on reputation. Reputation has been divided from level one to level five. These are reputation. Let me go to these are one to five. In version 6. 7 they changed the name before the name was high risk suspicious site, binagan side with security risk binigan side and will not. They just changed the name and the new version. But the slide I have from the old one because this 6. 7 came recently and we started. So they changed the name from untrusted, questionable, natural and favorable entrusted. So this one is more risky. Best to tell them high risk than suspicious site. So they categorize them all the website. So suppose your manager said that I don’t want any high risk website. So high risk website can belong to social networking, it can belong to action, it can belong to job search, it can be any. So in this way it will be again easy for you to apply. Don’t worry about this table. I will explain you a bit later when we will do a lab because I mentioned that I is a high risk. So it will be black and this will be suspicious. Will be allowed. This will be allowed. So make a confusion that Y is allowed here. So I will tell you when we go to lab. Let me explain you a bit. Suppose if I choose untrusted and the action is allowed, let’s see. So what they have done, okay? It’s not showing there. We need to drag them because they need to show me. Yeah, it’s coming now. Here, let me make them. Yeah, okay, let me choose another one because it’s huge there’s, not showing. So let me so it’s from two to five day block. Sorry, allowed. It’s amazing. I choose questionable, but the action is allowed. Keep in mind, the down is showing here is not completely showing. I just need to if I can drag them or something, okay, it’s not possible. So what I can do, let me take a screenshot of this one, because my main purpose is to show you that one. Okay, why it’s not okay. You can see from here, it says that any accept uncategory reputation from two to five and unknown what they done. When I say two allowed, so it’s allowed from two to five, even though I say only allowed. This one, two to five. Yeah. Let me take action as a block.

You see, it will change. Now, its reputation is one to two. Now means this one, the higher one. So when your action is blocked and you choose two, so it will block one as well, the high risk as well. If I choose three, so it will block 1232 and one as well. If I block four, so it will block because action is blocked, so it will block 4321. Okay. Because this need to refresh or something, click properly, okay? No. Sorry, Ed. So now you will see, let me show you. Now you see one to four. One to four. Yeah. Let me just change the action to allowed and allowed and add this one. Now you will see a difference, four to five only. So that’s why this table when we do a laybi will show you. That’s why it’s allowed. Allowed. So you don’t confuse. That why it’s like this. So let’s take action based on your allowed art blog. Okay? Now, next thing is before you do URL filtering, you require a license. It’s required a separate license. There are many license. One is base license, then base plus URL and Palo Alto as well. They require extra URL license when you want to do URL filtering and other firewall is well in FortiGate also do the same. They say if you want URL filtering, you need to buy extra license. The same thing is for Cisco FTD as well. And also you need to enable URL filtering from system integration.

So the first thing you need to check that is enable or not. So go to this small system and then this one in configuration. Go to integration and check out that URL filtering is enable. It will take automatic update. You can update as well from here. And the second option is query Cisco cloud for unknown URL. The one which I was talking about, maybe some URL which is not categorized. So you can send that report to Cisco. If for some reason you say that no, for my company I don’t want to share anything. So you can off them as well and save from here. And from here it now is up to date. Now URL filtering the category of Bright Cloud. So enable automatica. It has to be enabled now. So it’s already enabled by default it was enabled, no need. And the second option I enable suppose any website which is not categorized. So I will send the request to what is called a Cisco so they can categorize them properly. That’s the first thing. Second thing is require a license. Check out that you have URL license or not, otherwise it will not work. So we can check a license if we go to system and last time we install a license. So we’ll need to go to Smart license, which we activated for lay purpose.

47 days is still left there and let me go to our firewall FTD. Okay, so base license is working. Malware is a separate license, thread is a separate license. And here is URL Filter. So you can see it’s enable on our FTD as well. So URL filter license is activated. So done. So two things you need to do, you need to enable and then you need to check your license is there or not. Also you can verify this one from device go to device management and all those devices, because we have only one device and routed mode. You can check from here as well licenses. So it’s a base license and when you were them, because it’s not showing properly. So if you check from here, either if you mouse or say Malware and URL filter, so it means it’s there, it’s showing health check. Okay, so for help check. Okay, so you can check from here as well. Just let me send a ping from here because it says that the device is not available. Okay, it’s working when you are not sending any traffic. So it will give you that we are not receiving any packet here. After a while it needs to go now, because I send some traffic from here, after a while it will go out. Okay, so this was URL filtering. Okay, this we will do in next video. But let me go up. So now we know what is URL filtering and what is category and what is reputation. And why we need category and reputation. So I said a faster way to create your policy. It will be easy, it will be simplified rather than to do your manual job. So they already done for you category classification. Just like I give an example like any Facebook, these are in social networking, adult and all those categories are already there. And also you can use a reputation based on reputation. You can block any website, belong to any category. Another step, you can do it. Okay. And then we check what we need to do URL filtering. So it’s required to enable URL filtering. Second is required a license which you can check from two places from license and also you can go to device and check there that URL filtering is enabled or not.

• Category: Uncategorized